VHO:Trojan.Win32.Krycka.gen detected in Golang go.exe.


Hello,

I’m wondering if anyone has any information on this potential virus that Kaspersky alerted me to and then removed?

The path of the trojan was “C:\Users\<MyUserName>\AppData\Local\Temp\go-build505455790\b001\exe\main.exe”

At first I thought it was a false positive because I had just run a Golang project I was working on before the alert. The only potentially relevant thing I have recently downloaded (using “go get”) was this library https_//github.com/denisenkom/go-mssqldb. I have since removed it just in case.

I haven’t been able to find anything specific about this virus online.

Any information one could offer on how this could’ve gotten on my PC and what sort of damage it might have done would be greatly appreciated!

Mod Edit: Link disabled

  • 1 year later...
  • 1 year later...

I think I'm facing a similar issue. This program:

// Copyright © 2016 Alan A. A. Donovan & Brian W. Kernighan.
 
// See page 4.
//!+
 
// Echo1 prints its command-line arguments.
package main
 
import (
    "fmt"
    "os"
)
 
func main() {
    var s, sep string
    for i := 1; i < len(os.Args); i++ {
        s += sep + os.Args[i]
        sep = " "
    }
    fmt.Println(s)
}
 
//!-

runs normally like this:
> go run main.go one two three
one two three

But when I modify it to debug the sep variable:

package main
 
import (
    "fmt"
    "os"
)
 
func main() {
    var s, sep string
    fmt.Println("{", sep, "}")
    for i := 1; i < len(os.Args); i++ {
        fmt.Println("<", sep, ">")
        s += sep + os.Args[i]
        sep = " "
    }
    fmt.Println(s)
}

then I get this:

PS C:\Users\Ricardo\Documents\workspace\go\rdirani\gopl.io\ch1\echo1> go run echo1.go one two three
fork/exec C:\Users\Ricardo\AppData\Local\Temp\go-build1657779692\b001\exe\echo1.exe: Access is denied.

And Kaspersky records this:

Event: Application placed in restricted group
Component: Application Control
Name: VHO:Backdoor.MSIL.Crysan.gen
Object name: Untrusted
Reason: Detected: VHO:Backdoor.MSIL.Crysan.gen

and it doesn't give me any option to report this as a false positive.
Interestingly, if I build it, it doesn't get flagged:

PS C:\Users\Ricardo\Documents\workspace\go\rdirani\gopl.io\ch1\echo1> ./echo1 one two three
{  }
<  >
<   >
<   >
one two three
 


16 hours ago, Ricardo D. said:

I think I'm facing a similar issue. Kaspersky records this:

Event: Application placed in restricted group
Component: Application Control
Name: VHO:Backdoor.MSIL.Crysan.gen
Object name: Untrusted
Reason: Detected: VHO:Backdoor.MSIL.Crysan.gen

and doesn't give me any option to report this as a false positive.
If I build it, it doesn't get flagged.

 

Hello @Ricardo D.

Welcome!

Use the Kaspersky Threat Intelligence Portal to scan the Untrusted object. When the result shows, select Submit to reanalyze, fill in the pop-up window with your email address and as much detail as possible, then select Submit. The file will be sent to Kaspersky's Virus Lab and you should receive a response in due course.

The alternative is to log a case with support: select either Chat or Email, select the Malware, False Positive template, zip the detected file and password-protect the zip archive with either malware or infected as the password (make sure you tell support the password), and ask support to send the case to the Virus Lab for them to determine if it’s a false positive. Include the *SAVED* report from the Kaspersky software.

  • Please share the outcome with the Community when it's available.

Thank you🙏
Flood🐳+🐋

Edited by Flood and Flood's wife

  • 3 weeks later...

I found a workaround for this:
https://stackoverflow.com/questions/34033790/go-programs-hanging-on-windows-10

The trick is to set this environment variable:
go env -w GOTMPDIR="C:\Users\<user>\go\tmp"

Now go run creates the executable there instead of in /tmp. Kaspersky doesn't seem to be bothered by that. I had disabled Kaspersky and was using Windows Defender when I applied that solution, and it still complained, but then I added an exclusion to that folder and it fixed the issue. Now I've reinstalled Kaspersky and it is also working fine with go run now.

  • Like 2
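
The workaround in the post above, as an added PowerShell example that is not part of the original thread: it sets GOTMPDIR, confirms that `go run` really builds under the new directory, and records the SHA-256 of the temporary executable so the exact file can be named in a false-positive report. The directory `go\tmp` under the user profile and the file name `echo1.go` are assumptions taken from the posts.

```powershell
# Added example. $goTmp and echo1.go are assumptions; adjust to your project.
$goTmp = Join-Path $env:USERPROFILE 'go\tmp'
New-Item -ItemType Directory -Path $goTmp -Force | Out-Null

# Persist the setting in Go's per-user env file, then read it back.
go env -w "GOTMPDIR=$goTmp"
$effective = (go env GOTMPDIR | Out-String).Trim()
if ($effective -ne $goTmp) { throw "GOTMPDIR is '$effective', expected '$goTmp'" }

# -work prints "WORK=<dir>" on stderr and keeps the directory after exit,
# so the binary that go run executed can still be inspected.
$out  = & go run -work echo1.go one two three 2>&1 | ForEach-Object { "$_" }
$out
$work = ($out | Where-Object { $_ -like 'WORK=*' } | Select-Object -First 1) -replace '^WORK=', ''
if (-not $work) { throw 'go did not report a WORK directory' }
if (-not $work.StartsWith($goTmp, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Build ran in '$work', not under '$goTmp'"
}

# SHA-256 of the temporary executable, to quote when reporting a false positive.
$exe = Get-ChildItem -Path (Join-Path $work 'b001\exe') -Filter '*.exe' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($exe) {
    Get-FileHash -Path $exe.FullName -Algorithm SHA256 | Format-List Path, Hash
} else {
    Write-Warning "No executable left under $work; check the antivirus report."
}

# Only if Microsoft Defender still blocks the run, as in the post above:
# exclude just this one directory (needs an elevated session).
# Add-MpPreference -ExclusionPath $goTmp

# -work leaves the build directory behind; remove it once done.
Remove-Item -Path $work -Recurse -Force
```

Keeping the exclusion limited to the dedicated GOTMPDIR directory leaves the rest of the profile and the system Temp folder scanned as before.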